https://community.appian.com/support/w/kb/3806/kb-2380-information-about-the-apache-activemq-security-vulnerability-cve-2026-34197en-USTelligent Community 12https://community.appian.com/support/w/kb/3806/kb-2380-information-about-the-apache-activemq-security-vulnerability-cve-2026-34197Wed, 29 Apr 2026 15:07:38 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:112c995e-4e87-4e0e-a566-f4afc8ac4265Kaushal Patelhttps://community.appian.com/support/w/kb/3806/kb-2380-information-about-the-apache-activemq-security-vulnerability-cve-2026-34197#commentsCurrent Revision posted to Appian Knowledge Base by Kaushal Patel on 4/29/2026 3:07:38 PM<br /> <p><span style="font-weight:400;">On 17 April 2026, a critical vulnerability was </span><a href="https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html"><span style="font-weight:400;">discovered</span></a><span style="font-weight:400;"> related to the Apache ActiveMQ software. This vulnerability involves improper input validation and code injection within the Jolokia JMX-HTTP bridge. An authenticated attacker can exploit this flaw by invoking management operations through the Jolokia API to trick the broker into fetching a remote configuration file, leading to arbitrary code execution (RCE) on the broker&#39;s Java Virtual Machine (JVM). Affected versions of Apache ActiveMQ Classic include all versions prior to 5.19.4 and versions 6.0.0 through 6.2.2.</span></p> <p><span style="font-weight:400;">Appian has investigated this vulnerability and its services. While affected versions of Apache ActiveMQ are present within the Appian platform, we have confirmed that the Jolokia JMX-HTTP bridge and ActiveMQ web console are not used. Consequently, Appian services are not impacted by this vulnerability. As a proactive security measure, our engineering teams are currently upgrading these packages to the latest secure versions. We will continue to monitor the situation and provide updates as needed.</span></p> <h2 id="mcetoc_1jl7jgb3u1"><span style="font-weight:400;">Additional Notes:</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34197"><span style="font-weight:400;">CVE-2026-34197</span></a><span style="font-weight:400;"> - (Apache ActiveMQ Improper Input Validation / Remote Code Execution)</span></p> <h2 id="mcetoc_1jl7jgb3u1"><span style="font-weight:400;">Supporting Documentation:</span></h2> <ul> <li style="font-weight:400;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34197"><span style="font-weight:400;">https://nvd.nist.gov/vuln/detail/CVE-2026-34197</span></a></li> <li style="font-weight:400;"><a href="https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html"><span style="font-weight:400;">https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html</span></a></li> <li style="font-weight:400;"><a id="" href="https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/">https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/</a></li> </ul> <h2 id="mcetoc_1jl7jgb3u2"><span>Affected Versions</span></h2> <p><span>This article applies to all supported versions of Appian.</span></p> <p><span>Last reviewed:&nbsp;</span><span>April 29, 2026</span></p><div style="clear:both;"></div> https://community.appian.com/support/w/kb/3806/kb-2380-information-about-the-apache-activemq-security-vulnerability-cve-2026-34197/revision/2Wed, 29 Apr 2026 15:07:05 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:112c995e-4e87-4e0e-a566-f4afc8ac4265Kaushal Patelhttps://community.appian.com/support/w/kb/3806/kb-2380-information-about-the-apache-activemq-security-vulnerability-cve-2026-34197#commentsRevision 2 posted to Appian Knowledge Base by Kaushal Patel on 4/29/2026 3:07:05 PM<br /> <p><span style="font-weight:400;">On 17 April 2026, a critical vulnerability was </span><a href="https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html"><span style="font-weight:400;">discovered</span></a><span style="font-weight:400;"> related to the Apache ActiveMQ software. This vulnerability involves improper input validation and code injection within the Jolokia JMX-HTTP bridge. An authenticated attacker can exploit this flaw by invoking management operations through the Jolokia API to trick the broker into fetching a remote configuration file, leading to arbitrary code execution (RCE) on the broker&#39;s Java Virtual Machine (JVM). Affected versions of Apache ActiveMQ Classic include all versions prior to 5.19.4 and versions 6.0.0 through 6.2.2.</span></p> <p><span style="font-weight:400;">Appian has investigated this vulnerability and its services. While affected versions of Apache ActiveMQ are present within the Appian platform, we have confirmed that the Jolokia JMX-HTTP bridge and ActiveMQ web console are not used. Consequently, Appian services are not impacted by this vulnerability. As a proactive security measure, our engineering teams are currently upgrading these packages to the latest secure versions. We will continue to monitor the situation and provide updates as needed.</span></p> <h2 id="mcetoc_1jl7jgb3u1"><span style="font-weight:400;">Additional Notes:</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34197"><span style="font-weight:400;">CVE-2026-34197</span></a><span style="font-weight:400;"> - (Apache ActiveMQ Improper Input Validation / Remote Code Execution)</span></p> <h2 id="mcetoc_1jl7jgb3u1"><span style="font-weight:400;">Supporting Documentation:</span></h2> <ul> <li style="font-weight:400;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34197"><span style="font-weight:400;">https://nvd.nist.gov/vuln/detail/CVE-2026-34197</span></a></li> <li style="font-weight:400;"><a href="https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html"><span style="font-weight:400;">https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html</span></a></li> <li style="font-weight:400;"><a id="" href="https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/">https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/</a></li> </ul> <h2 id="mcetoc_1jl7jgb3u2"><span>Affected Versions</span></h2> <p><span>This article applies to all supported versions of Appian.</span></p> <p><span>Last reviewed:&nbsp;</span><span>April 29, 2026</span></p><div style="clear:both;"></div> https://community.appian.com/support/w/kb/3806/kb-2380-information-about-the-apache-activemq-security-vulnerability-cve-2026-34197/revision/1Wed, 29 Apr 2026 15:06:12 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:112c995e-4e87-4e0e-a566-f4afc8ac4265Kaushal Patelhttps://community.appian.com/support/w/kb/3806/kb-2380-information-about-the-apache-activemq-security-vulnerability-cve-2026-34197#commentsRevision 1 posted to Appian Knowledge Base by Kaushal Patel on 4/29/2026 3:06:12 PM<br /> <p><span style="font-weight:400;">On 17 April 2026, a critical vulnerability was </span><a href="https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html"><span style="font-weight:400;">discovered</span></a><span style="font-weight:400;"> related to the Apache ActiveMQ software. This vulnerability involves improper input validation and code injection within the Jolokia JMX-HTTP bridge. An authenticated attacker can exploit this flaw by invoking management operations through the Jolokia API to trick the broker into fetching a remote configuration file, leading to arbitrary code execution (RCE) on the broker&#39;s Java Virtual Machine (JVM). Affected versions of Apache ActiveMQ Classic include all versions prior to 5.19.4 and versions 6.0.0 through 6.2.2.</span></p> <p><span style="font-weight:400;">Appian has investigated this vulnerability and its services. While affected versions of Apache ActiveMQ are present within the Appian platform, we have confirmed that the Jolokia JMX-HTTP bridge and ActiveMQ web console are not used. Consequently, Appian services are not impacted by this vulnerability. As a proactive security measure, our engineering teams are currently upgrading these packages to the latest secure versions. We will continue to monitor the situation and provide updates as needed.</span></p> <h2 id="mcetoc_1jl7jgb3u1"><span style="font-weight:400;">Additional Notes:</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34197"><span style="font-weight:400;">CVE-2026-34197</span></a><span style="font-weight:400;"> - (Apache ActiveMQ Improper Input Validation / Remote Code Execution)</span></p> <h2 id="mcetoc_1jl7jgb3u1"><span style="font-weight:400;">Supporting Documentation:</span></h2> <ul> <li style="font-weight:400;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34197"><span style="font-weight:400;">https://nvd.nist.gov/vuln/detail/CVE-2026-34197</span></a></li> <li style="font-weight:400;"><a href="https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html"><span style="font-weight:400;">https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html</span></a></li> <li style="font-weight:400;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34197%20https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html%20https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/">https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/</a></li> </ul> <h2 id="mcetoc_1jl7jgb3u2"><span>Affected Versions</span></h2> <p><span>This article applies to all supported versions of Appian.</span></p> <p><span>Last reviewed:&nbsp;</span><span>April 29, 2026</span></p><div style="clear:both;"></div>